Allow auto-generation of library/certs.c from tests/data_files #2596
Conversation
@mpg @gilles-peskine-arm What's your view on this PR? As it stands, every modification of CRT or key files is prone to introduce a mismatch between
This commit adds the script scripts/generate_certs.sh which parses library/certs.c and inserts certificate and key files for any block of the form `/* BEGIN FILE [string|binary] [variable|macro] NAME FILE */ ... /* END FILE */`. Here, the first argument string / binary indicates whether the file should be inserted as a string or as a binary array. The second argument indicates whether the resulting object should be registered as a C variable or a macro. This script allows easy updating of certs.c in case any of the test certificates from tests/data_files change, or new test certificates / keys need to be added.
Re-generate library/certs.c from the data files in tests/data_files using scripts/generate_certs.sh added in the last commit. Signed-off-by: Hanno Becker <[email protected]>
@hanno-arm I'd be inclined to go with this script for starters. We can always rewrite in Python or otherwise later, but IMO this script is an improvement over the existing situation.
@mpg Ok, I'll clean up and rebase this PR, then 👍
A previous modification had erroneously overwritten the generation of `server1.crt.der` as the DER-form of `server1.crt` by some CRT generation command, and re-introduced the previous name `server1.der` for `server1.crt.der`. Signed-off-by: Hanno Becker <[email protected]>
Branch updated from e345c8e to 955d7ff.
I like the general approach to generate Please add the script to I'd prefer for the new script to be in Python. More team members know Python than sh and the language has fewer gotchas. I'm not sure if
FYI this script doesn't work on 2.7 because it doesn't have “BEGIN FILE”…“END FILE” markers. That's not a big deal, just something extra to do in the backports. More concerning, running this script on mbedtls-2.7 has no effect if I use bash, but with dash, it mangles the file:
I also think it would be much better for the script to be written in Python. @hanno-arm do you think you would have time and would fancy rewriting the script in Python?
Closing this in favour of #5986, which does the same thing in Python |
Summary: This PR annotates the hardcoded test certificates and keys in `library/certs.c` with a formal comment syntax describing their type and origin in `tests/data_files`, and adds a script `scripts/generate_certs.sh` which parses these comments and updates the hardcoded data. This aims to simplify the synchronization of `tests/data_files` with `library/certs.c` as well as the addition of new test data. This was suggested by @AndrzejKurek in #2260. This is based on #2260.